Forensic Examination Standards


A complete, competent forensic computer and data examination: 

  • Ensures that all examinations use properly prepared and verified, forensically sterile media. This ensures that there is no contamination by viruses, no contamination by previously examined data from another or the same case, and no contamination by other data that could be on the media.
  • Examines, describes and properly documents the hardware that is the subject of the examination. 
  • Ensures that the original media and data are maintained in their original unaltered state during the examination. This will prevent loss or alteration of the original data and can be used to authenticate the validity of the data recovered.  It will also be a sound defense to lawsuits claiming alteration or corruption of the data or operating system. 
  • Ensures that no unauthorized writes are made to the original media by viruses, by "booby trap" defense schemes, by the operating system, by applications that write back to the media to cache data, or by other inadvertent means. 
  • Recovers, unlocks and accesses deleted files, hidden files or data, password protected files and encrypted files.  Any means of concealing the data is documented for possible use as evidence later. 
  • Lists all of the files in the directory hierarchy, including recovered files. The name, size, time and date of creation or last modification of each file is documented. 
  • Examines data in unallocated space (space that is not currently in use by files but which may contain data) for data relevant to the investigation or inquiry at hand. Potentially relevant data is recovered, printed or copied to other media (such as read-only CD ROM) and the location where the data was found is documented as appropriate. 
  • Examines data in file slack (the area within the last cluster of a file that is not being occupied by the file) for data relevant to the investigation or inquiry at hand.  Potentially relevant data is recovered, printed or copied to other media (such as read-only CD ROM) and the location where found is documented as appropriate. 
  • Examines all normal data files individually. Relevant files are printed or copied to other media (such as read-only CD ROM) and the location where found is documented as appropriate. 
  • If requested, examinations are conducted to determine the author and creation or modification date of particular documents or files, to determine who created particular directories, to determine which computer in an office or location created certain diskettes, and to make similar comparisons relating to document and file creation and authentication.
  • All media, exhibits and other items of potential evidence are properly secured and tightly controlled to maintain their integrity and the physical "chain of custody". 
  • A report is prepared indicating the physical description of the computer and media, the configuration of the equipment, what was found, any attempt to hide data, opinions and other comments that may be relevant to the inquiry at hand. The report will explain any technical issues or opinions in a manner that can be easily understood.
  • Limited examinations can also be conducted. These examinations are conducted with the same controls that preserve the original media, prevent contamination, etc. However, these examinations are limited in scope by the requirements of the client. 
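The steps above (verify the media before examining it, inventory every file, then look past the logical file data into file slack and unallocated space) can be modelled on a small disk image. The following Python is an added example written for this page; it is not code from IACIS or from the page's author. The image layout, the 512-byte cluster size, the contiguous-allocation rule and the "REMNANT" filler standing in for previously deleted data are all constructed assumptions, and the hash check stands in for the verification of the working copy that the text requires.

```python
"""Toy model of a forensic examination pass: verify the working copy,
inventory the files, then recover bytes from file slack and from
unallocated clusters. Image, layout and cluster size are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLUSTER_SIZE = 512   # assumed allocation unit of the constructed image
N_CLUSTERS = 8       # constructed image is 8 clusters = 4096 bytes


@dataclass(frozen=True)
class FileEntry:
    name: str
    first_cluster: int   # toy layout: each file occupies contiguous clusters
    size: int            # logical size in bytes (what the directory reports)


def clusters_of(entry: FileEntry) -> List[int]:
    """Clusters allocated to a file; a zero-length file allocates none."""
    n = (entry.size + CLUSTER_SIZE - 1) // CLUSTER_SIZE
    return list(range(entry.first_cluster, entry.first_cluster + n))


def build_image() -> Tuple[bytes, List[FileEntry]]:
    """Constructed sample image: old remnant data everywhere, then two files
    written over it. memo.txt leaves slack; full.bin fills its cluster exactly."""
    image = bytearray(b"REMNANT " * (N_CLUSTERS * CLUSTER_SIZE // 8))
    entries = [FileEntry("memo.txt", 0, 700), FileEntry("full.bin", 3, 512)]
    payloads = {"memo.txt": b"M" * 700, "full.bin": b"F" * 512}
    for e in entries:
        off = e.first_cluster * CLUSTER_SIZE
        image[off:off + e.size] = payloads[e.name]
    return bytes(image), entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_working_copy(original: bytes, copy: bytes) -> bool:
    """The copy is examined only if its hash matches the original; the
    original itself is never written to after acquisition."""
    return sha256_hex(original) == sha256_hex(copy)


def inventory(entries: List[FileEntry]) -> List[Dict[str, object]]:
    """Directory listing with name, size and the clusters each file occupies."""
    return [{"name": e.name, "size": e.size, "clusters": clusters_of(e)}
            for e in entries]


def file_slack(image: bytes, entry: FileEntry) -> Tuple[int, bytes]:
    """Bytes between the logical end of file and the end of its last cluster.
    Returns (offset, data); data is empty when the file fills its last cluster."""
    clusters = clusters_of(entry)
    start = entry.first_cluster * CLUSTER_SIZE + entry.size
    if not clusters:
        return start, b""
    end = (clusters[-1] + 1) * CLUSTER_SIZE
    return start, image[start:end]


def unallocated_clusters(entries: List[FileEntry]) -> List[int]:
    """Clusters not claimed by any file in the directory."""
    used = {c for e in entries for c in clusters_of(e)}
    return [c for c in range(N_CLUSTERS) if c not in used]


def carve_unallocated(image: bytes, entries: List[FileEntry]) -> List[Tuple[int, bytes]]:
    """(offset, data) for every unallocated cluster, so that the location of
    anything recovered can be documented alongside the data."""
    return [(c * CLUSTER_SIZE, image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
            for c in unallocated_clusters(entries)]


if __name__ == "__main__":
    original, entries = build_image()
    copy = bytes(original)                     # stands in for the bit-for-bit copy
    print("working copy verified:", verify_working_copy(original, copy))
    for row in inventory(entries):
        print(row)
    for e in entries:
        off, data = file_slack(copy, e)
        print(f"{e.name}: {len(data)} slack bytes at offset {off}: {data[:16]!r}")
    for off, data in carve_unallocated(copy, entries):
        print(f"unallocated cluster at offset {off}: {data[:16]!r}")
```

On the constructed image, memo.txt reports 700 bytes but occupies two clusters, so 324 bytes of remnant data survive in its slack; full.bin has no slack because its size is an exact multiple of the cluster size, and clusters 2 and 4 to 7 are unallocated but still hold the old pattern. Recording the offset next to each recovered fragment is what lets the report state where the data was found.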

We fully comply with the IACIS® forensic examination standards (Actually, we wrote them). 

